Tip

Ingress firewall rules for the Cisco Security Monitoring, Analysis, and Response System

Gary Halleen and Greg Kellogg

The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a topology-aware SIM product. Because it holds sensitive information, it's important for VARs to configure it to establish authentication, information and rediscovery protocols. This tip covers how to establish ingress firewall rules for CS-MARS.

    Requires Free Membership to View

Learn more about CS-MARS
Establish egress firewall rules for CS-MARS
To simplify the work involved, you should define some network object groups on your firewall. If you're not familiar with this term, think of object groups as variables that you can use while configuring the firewall to make life easier. Rather than referring to a large list of IP addresses or TCP/UDP ports, you can simply refer to a name instead. The following examples use an object group called CORP_NET, which consists of all IP addresses used on your organization's network.

Ingress traffic refers to traffic that is inbound to a firewall (toward CS-MARS) from a less trusted network. Figure 4-1 shows both ingress traffic and egress traffic, or traffic that leaves CS-MARS to go toward the less trusted network.

Figure 4-1 Ingress and Egress Traffic

The following ingress rules are a good starting point for most companies:

Step 1 Permit syslog and SNMP trap traffic (UDP 162 and 514) from security operations (SecOps).
Step 2 Permit NetFlow traffic (UDP 2049) from SecOps.
Step 3 Permit HTTPS (TCP 443) from SecOps if a large number of people will be accessing the web console of MARS to run ad hoc reports. Otherwise, permit HTTPS to a restricted range of addresses.
Step 4 Permit SSH (TCP 22) to a very restricted set of addresses. If the security management network has its own VPN gateway, which might be a function of the firewall, you might want to require administrators to establish a VPN connection before permitting SSH.
Step 5 Permit HTTP (TCP 80) from any monitored web servers running iPlanet or Apache. If you're using NetCache appliances, permit HTTP from it as well.
Step 6 If your MARS deployment consists of multiple MARS LCs that communicate to a centralized MARS GC, permit required management traffic between those systems (TCP 443 and 8444).
Step 7 Deny all other traffic.

Continue reading to learn about egress firewall rules for the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).

Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.


This was first published in August 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.